Cap minimum length at 65535 and check for integer overflow.

2015-11-09 18:45:15 +00:00 · 2015-11-09 18:45:15 +00:00 · 6ce2ab6ce6
commit 6ce2ab6ce6
parent 00be5e56df
4 changed files with 25 additions and 3 deletions
--- a/3
+++ b/3
@ -275,6 +275,9 @@ especially when recursion or subroutine calls are involved.
 80. Allow for the possibility of the size of the nest_save structure not being
 a factor of the size of the compiling workspace (it currently is).

+81. Check for integer overflow in minimum length calculation and cap it at 
+65535.
+

 Version 10.20 30-June-2015
 --------------------------
--- a/src/pcre2_study.c
+++ b/src/pcre2_study.c
@ -7,7 +7,7 @@ and semantics are as close as possible to those of the Perl 5 language.

                       Written by Philip Hazel
     Original API code Copyright (c) 1997-2012 University of Cambridge
-         New API code Copyright (c) 2014 University of Cambridge
+         New API code Copyright (c) 2015 University of Cambridge

 -----------------------------------------------------------------------------
 Redistribution and use in source and binary forms, with or without
@ -123,7 +123,7 @@ for (;;)
  PCRE2_UCHAR *cs, *ce;
  register PCRE2_UCHAR op = *cc;

-  if (branchlength > UINT16_MAX) return branchlength;
+  if (branchlength >= UINT16_MAX) return UINT16_MAX;

  switch (op)
    {
@ -562,7 +562,13 @@ for (;;)
      break;
      }

-    branchlength += min * d;
+     /* Take care not to overflow: (1) min and d are ints, so check that their
+     product is not greater than INT_MAX. (2) branchlength is limited to
+     UINT16_MAX (checked at the top of the loop). */
+
+    if ((d > 0 && (INT_MAX/d) < min) || UINT16_MAX - branchlength < min*d)
+      branchlength = UINT16_MAX;
+    else branchlength += min * d;
    break;

    /* Recursion always refers to the first occurrence of a subpattern with a
--- a/testdata/testinput2
+++ b/testdata/testinput2
@ -4631,4 +4631,8 @@ a)"xI

 /\[()]{1024}/I,expand

+# Test minlength capped at 65535
+
+/(A{65000})\1{65000}/I
+
 # End of testinput2 
--- a/testdata/testoutput2
+++ b/testdata/testoutput2
@ -14743,4 +14743,13 @@ Capturing subpattern count = 1024
 May match empty string
 Subject length lower bound = 0

+# Test minlength capped at 65535
+
+/(A{65000})\1{65000}/I
+Capturing subpattern count = 1
+Max back reference = 1
+First code unit = 'A'
+Last code unit = 'A'
+Subject length lower bound = 65535
+
 # End of testinput2